Check out the new USENIX Web site. next up previous
Next: Introduction

{\sfblarger My Botnet is Bigger than Yours (Maybe, Better than Yours)} :
{\sfblarge why size estimates remain challenging}

Moheeb Abu Rajab     Jay Zarfoss     Fabian Monrose     Andreas Terzis
Computer Science Department
Johns Hopkins University

Abstract:

As if fueled by its own fire, curiosity and speculation regarding botnet sizes abounds. Among researchers, in the press, and in the classroom--the questions regarding the widespread effect of botnets seem never-ending: what are they? how many are there? what are they used for? Yet, time and time again, one lingering question remains: how big are today's botnets? We hear widely diverging answers. In fact, some may argue, contradictory. The root cause for this confusion is that the term botnet size is currently poorly defined. We elucidate this issue by presenting different metrics for counting botnet membership and show that they lead to widely different size estimates for a large number of botnets we tracked. In particular, we show how several issues, including cloning, temporary migration, and hidden structures significantly increase the difficulty of determining botnet size with any accuracy. Taken as a whole, this paper calls into question speculations about botnet size, and more so, questions whether size really matters.





Fabian Monrose 2007-04-03